THREAT INTELLIGENCE ON A DATA EXCHANGE LAYER

US 20160197941A1
Filed: 09/29/2014
Published: 07/07/2016
Est. Priority Date: 09/29/2013
Status: Active Grant

First Claim

Patent Images

1. A threat intelligence apparatus adapted for use on a data exchange layer (DXL), comprising:

a network interface;

a DXL client engine operable for communicatively coupling the apparatus to a DXL enterprise security bus (ESB); and

one or more logic elements comprising a threat intelligence engine operable for;

aggregating reputation data for a network object via a plurality of DXL messages;

computing a composite reputation for the network object;

receiving from a DXL endpoint a DXL request message for a reputation for the object; and

providing the composite reputation via a DXL message.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.

Citations

25 Claims

1. A threat intelligence apparatus adapted for use on a data exchange layer (DXL), comprising:
- a network interface;
  
  a DXL client engine operable for communicatively coupling the apparatus to a DXL enterprise security bus (ESB); and
  
  one or more logic elements comprising a threat intelligence engine operable for;
  
  aggregating reputation data for a network object via a plurality of DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message for a reputation for the object; and
  
  providing the composite reputation via a DXL message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The apparatus of claim 1, wherein the DXL message for providing the composite reputation is a DXL response message directed to a private topic of the DXL endpoint.
  - 3. The apparatus of claim 1, wherein the DXL message for providing the composite reputation is a DXL message with an object reputation topic.
  - 4. The apparatus of claim 3, wherein the DXL message for providing the composite reputation comprises an expiry.
  - 5. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining permissions for a source of a DXL message;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting reputation data from the source to be included in the aggregating.
  - 6. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining permissions for a source of a DXL message;
      
      determining that the source does not have permission to act as a provider of object reputation data; and
      
      blocking reputation data from the source from being included in the aggregating.
  - 7. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining a weighted permission for a source of a DXL message;
      
      determining that the weighted permission is sufficient for the source to act as a provider of object reputation data; and
      
      permitting reputation data from the source to be included in the aggregating, comprising weighting data provided by the source according to the weighted permission.
  - 8. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - receiving a plurality of determinations that the object is suspect but has not been blocked; and
      
      assigning the composite reputation a score configured to block the object on the network or subject the object to additional scrutiny or deep analysis.
  - 9. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by all DXL endpoints on the network.
  - 10. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by a class of DXL endpoints on the network.
  - 11. The apparatus of claim 1, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining that the network object is a new object on the network, and that the new object has been encountered multiple times in a short span; and
      
      assigning the composite reputation a suspicious score.
  - 12. The apparatus of claim 1, further comprising a reputation store.
  - 13. The apparatus of claim 12, wherein the reputation store is a self-replicating NoSQL database.

14. One or more computer-readable mediums having stored thereon executable instructions for providing a threat intelligence engine operable for:
- subscribing to a data exchange layer (DXL) object reputation topic;
  
  aggregating reputation data for a network object via a plurality of object reputation DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message for a reputation for the object; and
  
  providing the composite reputation via a DXL message.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The one or more computer-readable mediums of claim 14, wherein the DXL message for providing the composite reputation is a DXL response message directed to a private topic of the DXL endpoint.
  - 16. The one or more computer-readable mediums of claim 14, wherein the DXL message for providing the composite reputation is a DXL message with an object reputation topic.
  - 17. The one or more computer-readable mediums of claim 14, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining permissions for a source of a DXL message;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting reputation data from the source to be included in the aggregating.
  - 18. The one or more computer-readable mediums of claim 14, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining a weighted permission for a source of a DXL message;
      
      determining that the weighted permission is sufficient for the source to act as a provider of object reputation data; and
      
      permitting reputation data from the source to be included in the aggregating, comprising weighting data provided by the source according to the weighted permission.
  - 19. The one or more computer-readable mediums of claim 14, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - receiving a plurality of determinations that the object is suspect but has not been blocked; and
      
      assigning the composite reputation a score configured to block the object on the network or subject the object to additional scrutiny or deep analysis.
  - 20. The one or more computer-readable mediums of claim 14, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - receiving a DXL message indicating that the network object has been blocked by a DXL endpoint; and
      
      publishing a DXL message indicating that the network object should be blocked by all DXL endpoints on the network.
  - 21. The one or more computer-readable mediums of claim 14, wherein aggregating reputation data for a network object via a plurality of DXL messages comprises:
    - determining that the network object is a new object on the network, and that the new object has been encountered multiple times in a short span; and
      
      assigning the composite reputation a suspicious score.
  - 22. The one or more computer-readable mediums of claim 14, further comprising a reputation store.
  - 23. The one or more computer-readable mediums of claim 22, wherein the reputation store is a self-replicating NoSQL database.

24. A method of providing a server engine, comprising:
- subscribing to a data exchange layer (DXL) object reputation topic;
  
  aggregating reputation data for a network object via a plurality of object reputation DXL messages;
  
  computing a composite reputation for the network object;
  
  receiving from a DXL endpoint a DXL request message for a reputation for the object; and
  
  providing the composite reputation via a DXL message.
- View Dependent Claims (25)
- - 25. The method of claim 24, further comprising:
    - determining permissions for a source of a DXL message;
      
      determining that the source has permission to act as a provider of object reputation data; and
      
      permitting reputation data from the source to be included in the aggregating.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McDonald, Edward T., Smith, Christopher, Hanson, Don R. II

Granted Patent

US 10,484,398 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/168 above the transport layer

THREAT INTELLIGENCE ON A DATA EXCHANGE LAYER

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT INTELLIGENCE ON A DATA EXCHANGE LAYER

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links